RUMORS OF WORMS AND TROJAN HORSES
Danger Lurking in the Public Domain
introduced and edited by Mike Guffey
-INTRODUCTION
There are literally thousands of free (or nearly free) programs
available in computerdom's Public Domain. Those who use them save
hundreds of dollars and thousands of hours. But many sneer at
the idea of anything worthwhile being "free". Thus personal
computing becomes divided into two camps: those who believe there
are two camps and the rest who use Public Domain software (but
sport no sense of moral superiority).
For several years now rumors have circulated about dangerous
programs which, when run, infest the innards of personal
computers like parasites. And unlike most software, these
insidious programs don't go away when the power is shut off. The
story is they invade ROMs and "eat" memory away each time
hardware is powered up.
The legends have a basis in fact. For such horrors =do= exist in
the world of mainframes. Probably first created by a bored or
disgruntled programmer, such programs have been unleashed inside
some of this country's largest computers. Generally, they are
not outwardly visible, but begin the attack like a low-grade
fever. And these horrible little strings of code do damage a
little at a time, slowly building in intensity. At first, things
start going slightly awry. Ultimately, the system crashes or
must be shut down. One recent magazine article called these
creations "computer viruses". Just =how= damaging such programs
can be (or have been) has not been fully publicized. But the
facts lie on a razor's edge between science fiction and
tomorrow's headlines. They are believed to pose a serious
potential threat to national security.
Some say the first of such monsters appeared on computer bulletin
boards (BBS's) named "WORM.COM". [Remember that it is only
recently that any online descriptions began to be posted next to
program names. Some BBS's, notably CP/M based systems, still do
not offer any explanation beyond the program name or notes in the
associated message base part of the system.] And almost every
computer user group has at least one experienced member who can
tell the horrible tales of what these programs do. Actual
witnesses to the destruction or victims of the atrocities seem to
be =very= rare.
Related to the twisted thinking behind such criminal mischief is
the so-called "TWIT" phenomenon. Twits are computer vandals who
glory in breaking into and "crashing" or seriously damaging
remote computer systems. The targets range from neighborhood
BBS's to any large computers which can be accessed via phone
lines. And while such mental midgets have been glorified in the
media and mis-labeled as "hackers", their very existence causes
hysteria in and amongst the non-computing public at large.
Computer security for large and small remote computer systems is
getting better at screening out or scaring off "twits". But they
still exist. There are indications that some have graduated from
incessant attempts to break into BBS's. Instead they bring forth
Trojan horses: damaging programs disguised as utilities and
mislabeled or misdocumented as new treasures of the Public
Domain.
===]#[===
The following data was recently retrieved from a California BBS:
WARNING! DANGEROUS PROGRAMS
1) Warning: Someone is [or may be] trying to destroy your data.
Beware of a SUDDEN upsurge of [spurious] programs on Bulletin
Boards and in the Public Domain. These programs purport to be
useful utilities, but, in reality, are designed to sack your
system.
One has shown up as EGABTR, a program that claims to show you how
to maximize the features of IBM'S Enhanced Graphics Adapter. It
has also been spotted renamed as a new super-directory program.
It actually erases the (F)ile (A)llocation (T)ables on your hard
disk, [thereby rendering all data useless and inaccessible]. For
good measure, it asks you to put a disk in Drive A:, then another
in Drive B:. After it has erased those FATs too, it displays,
" Got You! Arf! Arf! "
Don't [casually] run any public-domain program that is not a
known quantity. Have someone you know and trust vouch for it.
ALWAYS examine it FIRST with DEBUG [or DDT or a similar
utility]. Look at all the ASCII strings and data. If there is
anything even slightly suspicious about it, [either] do a cursory
disassembly [or discard it]. [For MSDOS programs] be wary of
disk calls (INTERRUPT 13H), especially if the program has no
business writing to the disk. Run your system in Floppy only
mode with write protect tabs on the disk or junk disks in the
drives.
Speaking of Greeks bearing gifts, Aristotle said that the
unexamined life is not worth living. The unexamined program [may
not be] worth running.
- from The Editors of PC
July 23, 1985
Volume 4, Number 15
2) Making the rounds of the REMOTE BULLETIN BOARDS [is] a program
called VDIR.COM. It is a little hard to tell what the program is
supposed to do.
What it actually does is TRASH your system. It writes garbage
onto ANY disk it can find, including hard disks, and flashes up
various messages telling you what it is doing. It's a TIME BOMB:
once run, you can't be sure what will happen next because it
doesn't always do anything immediately. At a later time, though,
it can CRASH your system. Anyway, you'd do well to avoid
VDIR.COM. I expect there are a couple of harmless, perhaps even
useful, Public Domain programs floating about with the name VDIR;
and, of course, anyone warped enough to launch this kind of trap
once, can do it again. Be careful about untested "free"
software.
[paraphrased from
Computing at Chaos Manor
From the living Room
By Jerry Pournelle
BYTE Magazine, The small systems Journal]
Two other examples of this type of program:
1. STAR.EXE presents a screen of stars then copies RBBS-PC.DEF
and renames it. The caller then calls back later and d/l the
innocently named file, and he then has the SYSOP'S and all the
Users passwords.
2. SECRET.BAS This file was left on an RBBS with a message saying
that the caller got the file from a mainframe, and could not get
the file to run on his PC, and asked someone to try it out. When
it was executed, it formatted all disks on the system.
We must remember that there are a few idiots out there who get
great pleasure from destroying other people's equipment.
Perverted I know, but we, the serious computer users, must take
an active part in fighting against this type of stuff, to protect
what we have. Be sure to spread this [message] to other BBS's
across the country so that as many people as possible will be
aware of what is going on.
[from
The Flint Board
Flint, Mich
(313) 736-8031]
===]#[===
-EPILOGUE
Got your attention? There is no need to hatchet your modem and
erase your communications software. While such programs can do
tremendous damage, they are, fortunately, very rare. The
following is an expansion of the countermeasures suggested
above.
A) Never, NEVER, N>E>V>E>R>! download and run Public Domain
software (the first time) on a hard disk. While many programs
are well known, it is a logical presumption that Trojan
horse-type programs may have been uploaded with the name of a
well-known utility. Or as a new version of one of your old
favorites. Download them to a blank floppy or to a disk you have
a current backup copy of.
B) Get in the habit of examining unknown software with HEX/ASCII
utilities that will reveal copyright data, documentation, program
error and prompt messages. A good choice in MSDOS is called
PATCH.COM and in CP/M there is DUMPX.COM. Even if a program is
written in protected BASIC, you may still be able to find some
useful data this way. [This is also a way to find documentation
within programs without .DOC files or descriptions.]
C) Be wary of text files suggesting patches with DEBUG or DDT
that you do not understand. ALWAYS make such modifications to a
backup copy of your .COM, .EXE, .OVR files. There are no known
examples of Trojan horses appearing this way, but...
D) Make those BBS's which screen programs before making them
available your first (but not your only) choice for acquiring new
PD software. If you cannot figure out what a program does,
=don't= upload it to some other BBS.
E) Be wary but not paranoid. Be careful but not overcautious.
Do not fan the fires of hysteria by passing along rumors of worms
and Trojan horses. Speak of what you =know=. There are a lot of
good public domain programs that will do what you need. And when
you find one, pass it along.
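The two examination steps recommended in this file (item B above, and the
"look at all the ASCII strings" and "be wary of INTERRUPT 13H" advice in
the PC Magazine warning) can be automated. The script below is an added
example written for this edition; it is not part of the original file and
is not a program any of the quoted boards distributed. It takes the raw
bytes of a DOS .COM program, lists the printable ASCII strings a HEX/ASCII
dump utility would show, and flags every x86 INT opcode (byte CD followed
by the vector number) that calls the BIOS disk service (13h) or the DOS
absolute disk read/write services (25h/26h). The sample program bytes are
constructed here for the demonstration; the load base of 100h is the
standard .COM entry offset, so reported offsets match what DEBUG would
show. A plain byte scan cannot distinguish code from data, so a CD 13 hit
is a lead to confirm with a disassembly (as the warning says), not proof.

```python
from __future__ import annotations
import string
import sys

# Interrupt vectors worth flagging in an untrusted DOS program.  INT 13h is
# the BIOS disk service named in the warning above; 25h/26h are the DOS
# absolute-sector calls that bypass the file system entirely.
SUSPICIOUS_INTS = {
    0x13: "BIOS disk service (INT 13h): raw sector read/write/format",
    0x25: "DOS absolute disk read (INT 25h)",
    0x26: "DOS absolute disk write (INT 26h): writes sectors behind DOS's back",
}

# Printable ASCII as a hex-dump utility would render it (space kept,
# control characters such as CR/LF treated as non-printable).
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def ascii_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Return every run of at least min_len printable ASCII bytes, i.e. the
    copyright notices, prompts and error messages item B tells you to look for."""
    found, run = [], bytearray()
    for b in data:
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


def interrupt_calls(data: bytes) -> list[tuple[int, int]]:
    """Return (file_offset, vector) for every CD xx byte pair.  CD is the
    x86 INT opcode; the byte after it is the interrupt vector number."""
    return [(i, data[i + 1]) for i in range(len(data) - 1) if data[i] == 0xCD]


def triage(data: bytes, load_base: int = 0x100) -> dict:
    """Combine both checks into one report.  load_base is added to file
    offsets so they line up with addresses shown by DEBUG for a .COM file."""
    findings = [
        f"offset {load_base + off:04X}: INT {vec:02X}h - {SUSPICIOUS_INTS[vec]}"
        for off, vec in interrupt_calls(data)
        if vec in SUSPICIOUS_INTS
    ]
    return {
        "strings": ascii_strings(data),
        "interrupts": interrupt_calls(data),
        "findings": findings,
    }


# Constructed sample .COM image (hypothetical, assembled by hand for this
# example).  It prints a message via DOS, makes one BIOS disk call, and exits.
SAMPLE_COM = bytes([
    0xB4, 0x09,         # mov ah, 09h      ; DOS "print string"
    0xBA, 0x0D, 0x01,   # mov dx, 010Dh    ; address of the message below
    0xCD, 0x21,         # int 21h          ; DOS services: normal, not flagged
    0xB4, 0x02,         # mov ah, 02h      ; BIOS "read sectors" function
    0xCD, 0x13,         # int 13h          ; BIOS disk service: flagged
    0xCD, 0x20,         # int 20h          ; terminate program
]) + b"Got You! Arf! Arf!$"   # the EGABTR taunt quoted above, as sample data


if __name__ == "__main__":
    # Pass a real file to examine it; with no argument the constructed sample is used.
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_COM
    report = triage(image)
    print("ASCII strings:")
    for s in report["strings"]:
        print("  ", repr(s))
    print("Disk-related interrupt calls:")
    for line in report["findings"] or ["  (none found)"]:
        print("  ", line)
```

Run it as `python triage_com.py SUSPECT.COM` on a copy of the download
sitting on a floppy or a backed-up disk, never on the original hard disk,
and read the strings first: a "directory" utility whose only messages are
taunts, or one that carries no copyright or usage text at all, is exactly
the kind of program the warning says to disassemble or discard.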
-end-